
CVE-2026-40192

Severity: HIGH (8.7, CVSS 4.0, GitHub Advisory)
Weakness: Allocation of Resources Without Limits or Throttling (CWE-770)
Published: 2026-04-13
Project: https://github.com/python-pillow/Pillow
Advisory: GHSA-whj4-6x5x-4v2j

Severity by source

  • GitHub Advisory (primary): 8.7 HIGH
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • SUSE: 7.5 HIGH
    AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Red Hat: 7.5 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • PoC Detected: Apr 22, 2026 20:08 (vuln.today): public exploit code
  • Re-analysis Queued: Apr 15, 2026 23:22 (vuln.today): cvss_changed
  • CVSS changed: Apr 15, 2026 23:22 (NVD): 8.7 (HIGH)
  • Analysis Generated: Apr 15, 2026 12:34 (vuln.today)
  • Analysis Generated: Apr 13, 2026 19:30 (vuln.today)
  • Patch released: Apr 13, 2026 19:30 (nvd): patch available
  • CVE Published: Apr 13, 2026 19:22 (nvd): HIGH 8.7

Blast Radius (ecosystem impact)

  • 355 pypi packages depend on pillow (296 direct, 65 indirect)

Ecosystem-wide dependent count for version 10.3.0.

Description (GitHub Advisory)

Impact

Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).

Patches

The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).

Workarounds

Avoid Pillow >= 10.3.0, < 12.2.0.
Only open specific image formats, excluding FITS.
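The workaround above can be enforced in code. The following is an added example, not code from Pillow or from the advisory: is_affected encodes the advisory's version bounds (>= 10.3.0, < 12.2.0), and open_allowlisted uses the real formats= argument of PIL.Image.open so that only an allowlisted set of decoders (assumed here to be JPEG, PNG, GIF and WEBP) is tried and a FITS file never reaches the FITS decoder.

```python
# Defensive helpers for CVE-2026-40192 (Pillow FITS GZIP decompression bomb).
# Added example, not Pillow's or vuln.today's code. Version bounds are from
# the advisory (affected >= 10.3.0, fixed in 12.2.0); `formats=` is a real
# parameter of PIL.Image.open; the allowlist is an assumed choice.
import re
from typing import Iterable, Tuple

AFFECTED_MIN = (10, 3, 0)  # first affected release, per the advisory
FIXED_IN = (12, 2, 0)      # first fixed release (Pillow 12.2.0, PR #9521)

# Advisory workaround: only open specific formats, excluding FITS.
# Assumed allowlist for a typical upload endpoint (hypothetical choice).
SAFE_FORMATS: Tuple[str, ...] = ("JPEG", "PNG", "GIF", "WEBP")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Map '12.1.0', '10.3' or '12.2.0rc1' to a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable Pillow version: {version!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this Pillow version is inside the advisory's vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def open_allowlisted(fp, formats: Iterable[str] = SAFE_FORMATS):
    """Open an image trying only the allowlisted decoders.

    With `formats=` set, Pillow never hands the file to the FITS plugin: a
    FITS file (or any other disallowed format) fails with
    UnidentifiedImageError. This mitigates, but does not replace, upgrading.
    """
    from PIL import Image
    fmts = tuple(f.upper() for f in formats)
    if "FITS" in fmts:
        raise ValueError("FITS must not be allowlisted on unpatched Pillow")
    return Image.open(fp, formats=fmts)


if __name__ == "__main__":
    try:
        import PIL
        print(f"Pillow {PIL.__version__} affected: {is_affected(PIL.__version__)}")
    except ImportError:
        print("Pillow is not installed")
```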

Analysis (AI)

Unbounded GZIP decompression in Pillow's FITS image parser enables remote denial-of-service via crafted image files. Pillow versions 10.3.0 through 12.1.x process FITS images without limiting decompression output, allowing attackers to trigger out-of-memory crashes or severe performance degradation through maliciously compressed images. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Upload crafted FITS file →

Vulnerability Assessment (AI)

Exploitation: The target system must use Pillow versions 10.3.0 through 12.1.x AND process FITS image files from untrusted sources. …
Risk Assessment: Real-world risk is moderate despite the trivial exploitation path. …
Exploit Scenario: An attacker crafts a FITS file with a small GZIP-compressed payload (a few kilobytes) that decompresses to gigabytes of data, then submits it to a web application's image upload endpoint powered by Pillow. When the application attempts to process or validate the image using Pillow's Image.open(), the library reads and decompresses the entire payload into memory without limit checks. …
Remediation: Upgrade Pillow to version 12.2.0 or later immediately using pip install --upgrade pillow==12.2.0 or the equivalent package manager command. …

Recommended Action (AI)

Within 24 hours: Inventory all systems running Pillow versions 10.3.0-12.1.x (check requirements.txt, package manifests, and dependency trees). …


Vendor Status

SUSE (severity: High)

Product status:
  • SUSE Linux Enterprise Desktop 15 SP7: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Python 3 15 SP7: Fixed
  • SUSE Linux Enterprise Server 15 SP7: Fixed


CVE-2026-40192 vulnerability details – vuln.today
